Re: Struts 2.3 fix for s2-052?
2017-09-06 18:40 GMT+02:00 William Stranathan:
> Any ETA?

Under way to the Central and mirrors

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts 2.3 fix for s2-052?
Any ETA?

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:
> 2017-09-06 16:12 GMT+02:00 Emi:
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
> Regards
> --
> Łukasz
Re: Struts 2.3 fix for s2-052?
Incidentally, the wiki points out that 2.3 is vulnerable, but http://struts.apache.org/docs/s2-052.html still only states 2.5.

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:
> 2017-09-06 16:12 GMT+02:00 Emi:
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
> Regards
> --
> Łukasz
Re: Struts 2.3 fix for s2-052?
2017-09-06 16:12 GMT+02:00 Emi:
> Hello,
>>
>> I finally read your email where you gave the dist URL for the dev release.
>
> This is the release that I should use for 2.3 right?
>
> https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Yes, it should be officially released and announced soon

Regards
--
Łukasz
Re: Struts 2.3 fix for s2-052?
Hello,

> I finally read your email where you gave the dist URL for the dev release.

This is the release that I should use for 2.3 right?

https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Thanks.

> I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:
>> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
>> > Here is the full info
>> > http://markmail.org/message/5xuhb2vwc7iagjjr
>>
>> William, how does your test pass?
>>
>> Regards
>> --
>> Łukasz
Re: Struts 2.3 fix for s2-052?
Thanks a lot!

2017-09-06 15:56 GMT+02:00 William Stranathan:
> I finally read your email where you gave the dist URL for the dev release.
> I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:
>> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
>> > Here is the full info
>> > http://markmail.org/message/5xuhb2vwc7iagjjr
>>
>> William, how does your test pass?
>>
>> Regards
>> --
>> Łukasz
Re: Struts 2.3 fix for s2-052?
I finally read your email where you gave the dist URL for the dev release.
I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.

I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).

On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:
> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> > Here is the full info
> > http://markmail.org/message/5xuhb2vwc7iagjjr
>
> William, how does your test pass?
>
> Regards
> --
> Łukasz
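The "exception around class permissions" William reports is the behaviour a deployer should expect from a deserializer that only instantiates types on an explicit allowlist. The following is an added illustration, not code from Struts or from anyone in this thread. It assumes the XML deserializer in question is XStream (the thread never names it) at version 1.4.7 or later, where the type-permission API exists; the `Order` model class, the alias and the two sample payloads are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not Struts code): an XStream instance restricted to an
 * explicit allowlist, plus a check that a payload naming any other class is
 * rejected before that class is instantiated.
 */
public class AllowlistCheck {

    /** Hypothetical model type that the endpoint legitimately accepts. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Build an XStream instance that refuses every type except the allowlist. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears XStream's permissive defaults; everything
        // that follows re-adds only what this endpoint actually needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Short tag name for the allowed payload (constructed for the example).
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** True when XStream refuses the payload with ForbiddenClassException. */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown by the security mapper before any constructor runs.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample payloads: one of the allowed type, one naming an
        // unrelated JDK class that is not on the allowlist.
        String allowed = "<order><id>A-1</id><quantity>2</quantity></order>";
        String notAllowed = "<java.util.Locale><language>en</language></java.util.Locale>";

        Order order = (Order) xstream.fromXML(allowed);
        System.out.println("allowed payload deserialized: id=" + order.id
                + " quantity=" + order.quantity);
        System.out.println("non-allowlisted class rejected: " + isRejected(xstream, notAllowed));
    }
}
```

The point of the second payload is that the class it names is harmless; what matters is that it is not on the list, so the deserializer fails closed with `ForbiddenClassException` rather than resolving and constructing it. In a deployed Struts application the equivalent check is the one William ran: send a request with an XML body to a REST-plugin endpoint and confirm that the server log shows the class-permission exception instead of a successful deserialization.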
Re: Struts 2.3 fix for s2-052?
2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr

William, how does your test pass?

Regards
--
Łukasz
Re: Struts 2.3 fix for s2-052?
Ah.. right, I forgot about that

2017-09-06 13:11 GMT+02:00 William Stranathan:
> And yes, it looks like the Jenkins builds have been failing for quite some time:
> https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
> (that error message is not too dissimilar from the one I get with JDK 7 in the same module).
>
> On Wed, Sep 6, 2017 at 7:04 AM William Stranathan wrote:
>> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
>>
>> I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.
>>
>> On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
>>> 2017-09-06 12:31 GMT+02:00 William Stranathan:
>>> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
>>>
>>> Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
>>>
>>> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>>>
>>> Here is the full info
>>> http://markmail.org/message/5xuhb2vwc7iagjjr
>>>
>>> Thanks & regards
>>> --
>>> Łukasz
Re: Struts 2.3 fix for s2-052?
2017-09-06 13:04 GMT+02:00 William Stranathan:
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.

Looks like something is broken with publishing the latest SNAPSHOTS.
This contains only month-old builds:
https://repository.apache.org/content/groups/snapshots/org/apache/struts/struts2-rest-plugin/2.3.34-SNAPSHOT/

Regards
--
Łukasz
Re: Struts 2.3 fix for s2-052?
And yes, it looks like the Jenkins builds have been failing for quite some time:
https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
(that error message is not too dissimilar from the one I get with JDK 7 in the same module).

On Wed, Sep 6, 2017 at 7:04 AM William Stranathan wrote:
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.
>
> On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
>> 2017-09-06 12:31 GMT+02:00 William Stranathan:
>> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
>>
>> Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
>>
>> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>>
>> Here is the full info
>> http://markmail.org/message/5xuhb2vwc7iagjjr
>>
>> Thanks & regards
>> --
>> Łukasz
Re: Struts 2.3 fix for s2-052?
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.

I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.

On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
> 2017-09-06 12:31 GMT+02:00 William Stranathan:
> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
>
> Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
>
> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr
>
> Thanks & regards
> --
> Łukasz
Re: Struts 2.3 fix for s2-052?
2017-09-06 12:31 GMT+02:00 William Stranathan:
> Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).

Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.

> Where do I get the bits for testing 2.3.34, if not the snapshots?

Here is the full info
http://markmail.org/message/5xuhb2vwc7iagjjr

Thanks & regards
--
Łukasz
Re: Struts 2.3 fix for s2-052?
Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).

Where do I get the bits for testing 2.3.34, if not the snapshots?

On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart wrote:
> 2017-09-06 6:22 GMT+02:00 William Stranathan:
> > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable.
> >
> > Is there a fix for this vulnerability on the 2.3 stream forthcoming?
>
> I have called for a vote just now; 2.3.34 contains all the backports from 2.5.13 related to the security vulnerabilities. Please test and report back.
>
> Regards
> --
> Łukasz
Re: Struts 2.3 fix for s2-052?
2017-09-06 6:22 GMT+02:00 William Stranathan:
> Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable.
>
> Is there a fix for this vulnerability on the 2.3 stream forthcoming?

I have called for a vote just now; 2.3.34 contains all the backports from 2.5.13 related to the security vulnerabilities. Please test and report back.

Regards
--
Łukasz
Struts 2.3 fix for s2-052?
Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable.

Is there a fix for this vulnerability on the 2.3 stream forthcoming?